﻿<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>JavaScript过滤SQL注入字符</title>
    <script type="text/javascript" language="JavaScript">
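        /**
         * Removes a fixed set of characters from `inputStr` and echoes the
         * result into the #txt1 input.
         *
         * Tokens stripped, in this order: ";", "<", ">", "--", ",", "'", "?".
         * Each token is removed until no occurrence remains, so a run such as
         * "---" collapses to "-", while a "," sitting between two dashes
         * leaves "--" behind (the "--" pass has already run by then).
         *
         * NOTE(review): this runs in the browser and only tidies what the page
         * displays; it cannot stand in for parameterized queries on the server.
         *
         * @param {*} inputStr value to filter; non-strings are returned unchanged
         * @returns {*} the filtered string, or `inputStr` itself when it is not a string
         */
        function check(inputStr){
            if(typeof(inputStr) !== "string"){
                return inputStr;    // nothing to filter
            }
            // Pass order is kept from the original because later passes can
            // create adjacencies that earlier passes no longer see.
            // (The original comma loop assigned to a misspelt `mpValue`, so
            // the string never changed and any comma made the loop spin forever.)
            const tokens = [';', '<', '>', '--', ',', "'", '?'];
            let tmpValue = inputStr;
            for (const token of tokens) {
                // Loop instead of a single replace(): String.replace with a
                // string pattern only removes the first occurrence.
                while (tmpValue.indexOf(token) > -1) {
                    tmpValue = tmpValue.replace(token, '');
                }
            }
            // Show the result in the page. Guarded so the function does not
            // throw where there is no DOM (e.g. a unit test) or the field is
            // missing from the document.
            if (typeof document !== "undefined") {
                const field = document.getElementById("txt1");
                if (field) {
                    field.value = tmpValue;
                }
            }
            return tmpValue;
        }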

    </script>
</head>
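<body>
<!-- Demo form: the button hands the field's current value to check() in the
     head script, which strips the listed characters and writes the result back
     into this same field. The handler looks the field up by id instead of
     relying on window named access (`txt1`). -->
<label for="txt1">SQL</label>
<input type="text" id="txt1" name="txt1" value="select * from userinfo where username=zhang' and passwrod=2" style="width: 392px">
<input type="button" value="提交" onclick="check(document.getElementById('txt1').value)">
</body>
</html>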